When one thinks of cyber attacks on industrial networks, one often pictures advanced nation-state threat actors using sophisticated techniques (e.g. the Stuxnet virus). A report from Mandiant Threat Intelligence indicates that the modern trend may be in the other direction.
The report finds that adversaries are experiencing success with simpler attacks, making use of common tools and techniques to breach the operational technology (OT) systems that bridge the internet and industrial controls. This success stems from the fact that many of these OT systems are visible and poorly secured; most of the attackers have no particular interest in industrial systems or critical infrastructure, they are simply picking off low-hanging fruit.
OT systems exposed amidst wave of more general cyber attacks
The Mandiant report examines not just cyber attacks that consist of ransomware delivered via a compromised employee account, but also those that escalated to the ability to directly control elements of OT systems. Some of the attackers actually interacted with the systems in some way, while others have been found selling direct access to these components.
In most cases, these cyber attacks are not sophisticated. They are also mostly in the realm of lower-level profit-seeking criminals (or activists looking to make a statement) rather than nation-state threat actors engaging in espionage or an attempt at infrastructure damage.
The OT cyber attacks are also generally not targeted; one of the most worrying features of this study is that industrial networks appear to simply be sitting on the internet open to intrusion. Even low-level cyber criminals are able to penetrate OT systems that could cause serious damage if manipulated. The only thing that appears to be stopping them is a lack of desire to do physical damage; the types of criminals that hit upon these unprotected systems also tend to be those that are focused on making some quick money.
The study focuses on incidents from between January 2020 and April 2021. There was at least one incident involving industrial networks every month during this period, with the exception of short breaks in August-September 2020 and March 2021. Several times there were three different attacks on OT systems in a month. In some cases an incident on the dark web, such as a posting of the IP addresses of industrial networks or tutorials on how to access and manipulate specific OT systems, was spotted just before a related incident took place.
Richard Blech, Founder & CEO of XSOC CORP, adds some insight as to why relatively amateur attackers seem to be finding such a clear path to the controls of industrial networks: “Industrial enterprises are unable to rely on conventional data security solutions, including standard encryption or PKI, for OT security; these measures are not applicable in OT infrastructure because they are unable to comply with industry protocol and standard (i.e., four millisecond time latency requirements). It is also why many vendors that provide security solutions for OT networks prioritize the monitoring of the systems rather than provide security solutions that can protect the data that travels between the PLC and HMI. By default, implementing a response and recovery plan is how many industrial enterprises experience cyber attacks. Hackers of all skill levels are supremely aware of this, and the promise of easy (relatively) clout and/or financial gain is motivating … Unfortunately, industrial enterprise leaders should expect breaches to continue and grow in number as long as they fail to utilize preventative OT security solutions in conjunction with applying best security practices. Securing the data that traverses OT networks requires the use of cryptography technology that can work with legacy systems and provide enhanced encryption and user authentication for all access vectors, all while complying with standards and regulations … The growing prevalence of the low sophistication OT attacks highlights the fact that the data security measures that are in place are lacking and have vulnerabilities that are ripe for attack. In many cases, while OT has been progressing, the security for those systems has not been keeping pace. As long as the OT security of an industrial enterprise lags behind the progress of its IT/OT convergence, there is likely to be an increase in data breaches in industrial environments.”
When low-tech attackers penetrate industrial networks
So if these attackers are relatively unsophisticated and money-motivated, why would they take the time to learn about industrial networks enough to interact with real world components? The study mentions that many of these systems have user-friendly GUIs that simplify complex processes and make it possible for attackers to learn how to use industrial controls without a lot of effort.
Attackers also sometimes post tutorials and videos documenting what they’ve discovered about controlling elements of these industrial networks; the study finds that this most commonly occurred with postings that have anti-Israel and pro-Palestine rhetoric, and point toward targets in Israel.
The study also notes that politically motivated attackers sometimes don’t know what they’re doing, especially when dealing with systems in languages other than their own. It posts amusing screenshots of a German threat actor who thought that the controls for model train sets were used to control passenger rail. Another attacker, apparently based in Iran, triumphantly posted screenshots purporting to be a breach in retaliation for missile attacks in that country. It turns out that the cyber attacks had simply compromised a kitchen ventilation system in an Israeli restaurant.
Still, Mandiant sees this category of cyber attacks as a growing threat. The more that are publicized, the more threat actors realize that it does not necessarily take much sophistication or effort to breach these systems. The quality of information being shared about industrial networks in underground forums has also greatly increased in the past year, and it seems only a matter of time before ransomware groups hit upon making use of it to deliver even more devastating attacks. Mandiant recommends countermeasures such as removing OT systems from public-facing networks whenever possible, using common scanning systems (such as Shodan) to check whether company assets are reachable by attackers, and applying hardening techniques to remotely accessible and edge devices.
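The "check whether your own assets are reachable" recommendation above can be turned into a routine exposure review. The script below is an added example, written for this article and not taken from the Mandiant report or from any scanning vendor: it takes records in the shape an external-scan export (Shodan or similar) would give you, keeps only addresses inside the organisation's own public ranges, and flags services that look like OT protocols (direct control plane, rated critical) or remote-access channels that commonly sit in front of an HMI GUI (rated high). The address ranges, port table and scan records are all assumed or constructed for illustration; the protocol default ports are the standard ones, but a site may run them elsewhere, so a banner keyword fallback is included.

```python
"""Flag internet-exposed OT/ICS services in an external exposure inventory.

Added example, not code from the article or the Mandiant report.
Input: (ip, port, banner) records such as an external-scan export might
provide. ORG_RANGES and SAMPLE_EXPOSURE are assumed/constructed values.
"""
import ipaddress

# Default ports of common OT / ICS protocols (assumed-complete enough for a
# first pass; extend for the protocols your plants actually run).
OT_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    1911: "Niagara Fox",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP)",
    47808: "BACnet/IP",
}
# Remote-access services that typically front an HMI or engineering station.
REMOTE_ACCESS_PORTS = {23: "Telnet", 3389: "RDP", 5900: "VNC"}

# Banner keywords used as a fallback when a service runs on a non-default port.
BANNER_KEYWORDS = (
    ("modbus", "Modbus/TCP"),
    ("bacnet", "BACnet/IP"),
    ("dnp3", "DNP3"),
    ("rfb ", "VNC"),
)

# Assumed: the organisation's own announced public prefixes (documentation ranges).
ORG_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/25")]

# Constructed sample of an external-scan export: (ip, port, banner).
SAMPLE_EXPOSURE = [
    ("203.0.113.17", 502, "Modbus unit id 1; device: PLC"),
    ("203.0.113.17", 5900, "RFB 003.008"),             # VNC in front of an HMI
    ("203.0.113.40", 443, "nginx"),                    # ordinary web server
    ("198.51.100.9", 47808, "BACnet vendor: 0 instance: 1"),
    ("192.0.2.5", 502, "Modbus"),                      # not an org address
    ("198.51.100.200", 102, "S7comm"),                 # outside the /25, not org
]


def owned(ip, ranges=ORG_RANGES):
    """True if ip falls inside one of the organisation's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def classify(port, banner):
    """Return a protocol label if the service looks like OT or remote access,
    else None. Port match first, banner keywords as fallback."""
    if port in OT_PORTS:
        return OT_PORTS[port]
    if port in REMOTE_ACCESS_PORTS:
        return REMOTE_ACCESS_PORTS[port]
    text = banner.lower()
    for keyword, label in BANNER_KEYWORDS:
        if keyword in text:
            return label
    return None


def find_exposed(records, ranges=ORG_RANGES):
    """Return findings for org-owned addresses exposing OT or remote-access
    services. OT protocols are 'critical' (direct control plane); remote
    access is 'high' (likely path to an HMI)."""
    findings = []
    ot_labels = set(OT_PORTS.values())
    for ip, port, banner in records:
        if not owned(ip, ranges):
            continue                      # someone else's asset; not ours to act on
        label = classify(port, banner)
        if label is None:
            continue
        severity = "critical" if label in ot_labels else "high"
        findings.append({"ip": ip, "port": port, "service": label,
                         "severity": severity})
    return findings


def summarize(findings):
    """Count findings per severity, for a quick dashboard line."""
    counts = {"critical": 0, "high": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = find_exposed(SAMPLE_EXPOSURE)
    for f in results:
        print(f"{f['severity']:8} {f['ip']}:{f['port']} {f['service']}")
    print(summarize(results))
```

Run the review against a fresh export on a schedule and diff the findings against the previous run; a new critical entry is exactly the kind of open Modbus or BACnet endpoint the report describes being picked off, and the remediation matches Mandiant's advice: pull the device off the public network, or at minimum put it behind an authenticated, hardened access gateway.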